Home Verkennen Help
Registreren Inloggen
github
/
spring-security
spiegel van https://github.com/spring-projects/spring-security
2
0
Vork 0
Bestanden Issues 0 Wiki
Bladeren bron

Allow ACL to be owned by GrantedAuthoritySid

Closes gh-9425
Roberto Paolillo 4 jaren geleden
bovenliggende
92b3a7b01b
commit
efb394d3b2
2 gewijzigde bestanden met toevoegingen van 18 en 2 verwijderingen
Zij-aan-zij weergave Toon Diff Stats
  1. 8 2
      acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java
  2. 10 0
      acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java

+ 8 - 2
acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java
Bestand weergeven 

@@ -93,11 +93,17 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
 
 				&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
 
 			return;
 
 		}
 
-		// Not authorized by ACL ownership; try via adminstrative permissions
 
-		GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
 
 
 		// Iterate this principal's authorities to determine right
 
 		Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
 
+		if (acl.getOwner() instanceof GrantedAuthoritySid
 
+				&& authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority())) {
 
+			return;
 
+		}
 
+
 
+		// Not authorized by ACL ownership; try via adminstrative permissions
 
+		GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
 
+
 
 		if (authorities.contains(requiredAuthority.getAuthority())) {
 
 			return;
 
 		}

+ 10 - 0
acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java
Bestand weergeven 

@@ -31,6 +31,8 @@ import org.springframework.security.core.GrantedAuthority;
 
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 import org.springframework.security.core.context.SecurityContextHolder;
 
 
+import static org.mockito.BDDMockito.given;
 
+
 
 /**
 
  * @author Rob Winch
 
  *
 
@@ -66,6 +68,14 @@ public class AclAuthorizationStrategyImplTests {
 
 		this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
 
 	}
 
 
+	// gh-9425
 
+	@Test
 
+	public void securityCheckWhenAclOwnedByGrantedAuthority() {
 
+		given(this.acl.getOwner()).willReturn(new GrantedAuthoritySid("ROLE_AUTH"));
 
+		this.strategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_SYSTEM_ADMIN"));
 
+		this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
 
+	}
 
+
 
 	@SuppressWarnings("serial")
 
 	class CustomAuthority implements GrantedAuthority {